Schneier on Security
A blog covering security and security technology.
« Election Fraud in Kentucky |
| Surviving a Suicide Bombing »
March 25, 2009
Sniffing Keyboard Keystrokes with a Laser
Chief Security Engineer Andrea Barisani and hardware hacker Daniele Bianco used a handmade laser microphone device and a photo diode to measure the vibrations, software for analyzing the spectrograms of frequencies from different keystrokes, as well as technology to apply the data to a dictionary to try to guess the words. They used a technique called dynamic time warping that's typically used for speech recognition applications, to measure the similarity of signals.
Line-of-sight on the laptop is needed, but it works through a glass window, they said. Using an infrared laser would prevent a victim from knowing they were being spied on.
Posted on March 25, 2009 at 6:59 AM
• 38 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
While windows transmit visible light just fine, they don't transmit all wavelengths of infrared light (hence the greenhouse effect). So it depends on the wavelength of the laser, but I'm not sure an infrared laser could be used through a window. So it may be one or the other for infrared or through windows.
isn't that just a laser microphone based audio sidechannel attack then?
Not that surprising. As I type, I notice just the pattern of the sound itself is distinctive enough there is a fairly good probability that, after statistical matching of a few known samples, it would be a fairly simple bit of number crunching to figure out what gets typed based on a regular microphone.
A variant on acoustic cryptanalysis?
As someone once (or twice) said, there are no more secrets. This attack, with the laser-acoustic gizmo-doohickey, should even work if you are sitting in one of Control's cones of silence.
I'd guess that the cone of silence, when exposed to laser light, would cleverly foil the attacker. By bursting into flames.
I am curious about the range that could be pulled off. For instance, could a satellite equipped with a powerful enough laser do this from space, an air plane or a unmanned drone.
Everything old is new again! :-) I would say that old work is more impressive than this new stuff. The only thing this new method seems to add is the ability to get at the sound/vibrations of the keyboard directly in an otherwise noisy room.
You could beat this -- at least the "invisibility" part -- with anything that can see infrared... which would include most of those cheap, crummy CMOS webcams.
On a less serious note... they've invented "dynamic time warping" and the best that they can do with it is read KEYSTROKES??? ;)
You probably can't because you need to aim the laser precisely so that the beam is reflected to your receiver. The summary makes it sound easier than it really is. Also, either the laser or the receiver also need to be level with, or higher than the targeted window. E.g. you can't listen in on the 2nd floor from the street level.
The window doesn't need to be transparent to your laser wavelength, it just needs to reflect it.
intgr, if the window reflects your laser's wavelength, what signal comes from the keyboard?
The sound vibrations of your keys vibrates the window, and the laser reflects those window vibrations.
@Steven: windows do let infrared pass, otherwise you wouldn't hear the heat when the sun is reflecting against it.
@Intgr, @Me Too: the point is reaching the laptop with the laser, not the window itself (which reflects sounds and not the laptop vibrations which are used for the attack)
Both visible and infrared laser will reflect enough after a window pass from the laptop case.
This extends previous acoustic attacks on longer range and different precision (as case vibrations are used and not the sound of the key)
@me too, if reflections from the window sufficed, they wouldn't need line of sight to the laptop. (Room noise dominates at the window.)
"windows do let infrared pass, otherwise you wouldn't hear [feel?] the heat when the sun is reflecting against it."
They do let infrared pass (I think the original poster was thinking of medium-wave and shorter UV light), but your rationalization is flawed. I think that the heat you feel near sun-exposed windows is due more to absorption, followed by reradiation, conduction, and/or convection, than it does to transparency. If transparency explained it then then the interior of a car driven out of an underground parking garage at noon would heat up as soon as it was exposed to sunlight. Most commonly-used glass has a fairly high specific heat.
If you want to find out how IR-transparent a window is, you can use a TV remote-control and an inexpensive digital camera. Aim the remote at the camera, and press a button like channel-up. Look in the LCD viewfinder of the camera and you'll see the remote blinking. Do the same through the window. If you see no blinking, the glass is IR-opaque. IR films on windows (or inside them) will affect this. But IR lasers are also pretty powerful, so even a 99% opacity to IR might still let enough radiation through for this to work.
A couple of things,
I suspect that their "microphone" is very unlikley to be optomised for the best spectral content which is a bit of a disadvantage for them.
In practice laser mics do not need to be "line of sight" with the noise source (ie the keyboard). It is often possible in a quite room to use a more usefull object such as a vase or bowl or other round object. It has actually proved possible to use such things as the inside pain of double glazing, screens of monitors and even the glass in pictures.
Also you get better results with the laser and picup optics not being co-located. Also using more than one laser and pickup enables you to null out some interferance effects.
With regards to IR lasers most short wavelength IR (ie just below red) will go through most types of glass without problems. However people are starting to put "solar foil" or equivalent filters on windows for the energy saving properties. However they tend to trap long wavelength IR (ie what we feel as radiant heat) that is re-emited from objects that absorb short IR and visable light.
@ spaceman spiff,
"As someone once (or twice) said, there are no more secrets."
They are wrong...
There are plenty of secrets inside your's and others heads (for now ;)
It's when you try to communicate or use them that the trouble starts. Your comms channel might be secure but the end points are not when humans are involved 8(
If you need to have line of sight of the laptop, why not just look at what the user is typing?
As Clive said, you don't need to be line of site. Most objects you'll hit with a laser mic won't be perfectly reflective, but will exhibit diffuse scattering instead, so you don't even need to be lined up on your target.
Of course, using an object that reflects IR strongly is better, being at the perfect angle is better (which is why curved surfaces are good, much better chance of getting the right angle somewhere on it), and having a target closer to where the sound is generated is better. But with a bright enough laser, you can get plenty of diffuse reflection to measure vibration even an on poorly angled surface.
What matters more is getting a good acoustical surface. Hollow objects such as bowls, cups, work great for this. Just beware resonant frequencies.
@Steven, and all others wondering about IR light passing through glass.
We in the biomedical sciences carry out experiments every single day involving laser light in ranges not visible to the human eye (far-red to IR) passing through glass on the way to the specimen (not including microscope lenses). I assure you laser light invisible to your eye can pass through glass just fine.
So to thwart this attack, by the microscope analogy maybe try some mirrors to deflect the light, smoke for drama, or wear chrome gloves perhaps? That should scrable it ... Hehe
Yeah, what we need in the middle of this financial crisis is MORE smoke and mirrors.
I don't know if it would be an issue in this type of application but from what I can remember, light from a laser is polarised.
Depending on the environment, that could either be an advantage or difficulty for an attacker, namely because a reflective surface in itself will cause any incident light to be polarised upon reflection. If the target is to be say the back of the screen of a laptop and there is a window in the way, and assuming they are angled on different axis - would any of the laser light actually be reflected?
"I assure you laser light invisible to your eye can pass through glass just fine."
Yes and no...
The glass you are using in a lab is predominatly "blown", "moulded" or "ground".
It is not "plate glass" that has been tempered. The process of making plate glass old man Pilkington worked out (floating it on molten metal) leaves a thin residue of metal on the surface. Further tempering or anealing which considerably strengthans the glass also affects it's optical properties.
That said the effects tend not to be broad band so having two or three different wavelength IR lasers will most probably ensure you can get a working signal.
"I don't know if it would be an issue in this type of application but from what I can remember, light from a laser is polarised."
Yes laser light is EM radiation which can be polarised in two main ways (plane or circular) and further the polarisation can be orthagonal to another EM wave polarised the same way (vertical-v-horizontal, lefthand circular-v-righthand circular). Simply reflecting an EM wave can change it's polarisation even if the reflecting medium is not polarised.
In most cases having the vibrating medium polarise the beam is advantageous if you can get at the apropriate angle as you can use the change in polarisation as "free gain". In that you can use the change in polarisation to reduce incident interfering signals thus giving your (very limited dynamic range) opto receiver a better chance of operating at it's most appropriate sensitivity (chances are the lowest noise and best linear points do not coincide).
Many posters here seem confused about exactly what is meant by infrared light; it covers a pretty broad range of wavelengths from near-IR to thermal. Cheap IR optoelectronics will be in the very near infrared, below 1µ (1000 nm) — at this wavelength your common window glass isn't going to treat the light much differently than it treats red visible light. (For some example curves: http://irc.nrc-cnrc.gc.ca/pubs/cbd/cbd060_e.html ). Various treated glasses are more absorbent in that region, but not enough to really matter for this application.
The transparency of window glass to the IR band of light is not the issue. The issue is acoustic baffling or dampening of the keyboard vibrations.
Put the laptop or keyboard inside an acoustically baffled enclosure, such that only the screen and keyboard are visible, and only from the front.
Or develop new "secure" keyboards with less klicky-klack vibration and noise.
The story implies the technique may work by bouncing IR off the laptop's surface, which modulates the reflection with acoustic vibrations. If so, a simple "stealth" covering over most of the laptop might suffice as a deterent.
Also, since most offices are cube-farms, with the sound of hundreds of keyboards being operated simultaneously, I suspect in actual use this would be more difficult than the story implies.
You gotta love this place. Many informative viewpoints, some based on empirical evidence others not so much. I mean it's nice to speculate, but come on ... some of you a stretching it.
Another solution would be to learn Dvorak or another keyboarding standard other than QWERTY. That way when you type what the person listening thinks is "asdf", the computer interprets it as "aoeu" (and so forth).
Of course, like many solutions (think green energy), that only works for the minority of the population. If the majority were to adopt a different standard, then your spies would be looking for that standard. The key here is to use something different than the norm.
"Another solution would be to learn Dvorak or another keyboarding standard other than QWERTY."
No it would not work.
Each keyboard would make a different sound. Therefore what they do is record some of your typing for a while and then do a simple bit of crypto analysis (ie simple substitution decipher) to work out which click belongs to which key.
So it would be virtualy keyboard independent.
There is however one keyboard it would not work for if you took apropriate precautions...
A few years ago a company brought out a "virtual keyboard" that used a light source to project virtual keys onto any flat surface.
It was very "geeky" and comparitivly expensive, and I don't think it sold too well (the reviewer indicated it was not up to much and had to be used in dim lighting etc).
However if you used one and moved it or the surface it was projected onto every couple of words then the sound of each finger fall (ie virtual keypress) would be different...
@Clive Robinson: "A few years ago a company brought out a "virtual keyboard" that used a light source to project virtual keys onto any flat surface."
Here is the keyboard. It is still for sale but is pricey at $200. http://www.virtual-laser-keyboard.com/
So curtains are security tools.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.